drivingcamp Hungary

PRIVACY POLICY of
DRIVINGCAMP HUNGARY ZRT.

1.The Purpose of this Policy

1.1.The purpose of this Privacy Policy (hereinafter as: the “Policy”) is to define and present the data protection and data processing principles applied by Drivingcamp Hungary Zártkörűen Működő Részvénytársaság (registered office: 2072 Zsámbék, Drivingcamp út 1., company registration number: 13-10-041330, registered by: the Company Registry Court of the Regional Court of Budapest Region, tax number: 23103513-2-13; hereinafter as: “Controller”) as well as the data protection and data processing policy of the Controller, and to provide information on the details and circumstances of the data processing actions.

1.2.The processing actions carried out by the Controller conform to the obligations defined in this Policy and in the currently effective legislation. Controller, subject to notice to the concerned audience in due time, reserves its right to amend this Policy. Controller shall pay special attention to process the personal data provided to it in the course of the data processing actions detailed in the Policy by respecting the informational self-determination right of the data subjects, in a confidential manner, by applying such appropriate security and technical measures that guarantee the security of the personal data and their processing.

1.3.In the course of the economic activities of the Controller, the services provided to the persons and entities using the Controller’s services, and operation of the website at www.drivingcamp.hu (hereinafter as: the “Website”), the Controller shall process the personal data of the data subjects visiting the Website, subscribing to the newsletter, using the services provided by the Controller and also of the customers of the webshop (hereinafter collectively referred to as: the “Data Subjects”).

1.4.This Policy shall govern any and all data processing actions carried out by the Controller, with the provision that the Controller shall have the right to change the contents of this policy at any time. Out of the different versions of this Policy, the version currently displayed on the Website or the hard copy version provided upon the concerned data processing action shall be considered as the currently effective version, hence, it is important for the Data Subjects to inspect and examine such version thoroughly, prior to giving their consent.

1.5.The data processing actions of the Controller shall comply with the requirements specified in this Policy and the respective legislation at all times.

2.General provisions I.

2.1.In terms of any and all data processing actions listed under Section 4, the following entity shall act as the Controller:

Name: Drivingcamp Hungary Zártkörűen Működő Részvénytársaság

Registered office: 2072 Zsámbék, Drivingcamp út 1.

Postal Address: 2072 Zsámbék, Drivingcamp út 1.

E-mail: [email protected]

Phone Number: 06 23 565 530

2.2.The Controller shall process the personal data always in line with the currently effective legislation, in particular:

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR);
Act CXII of 2011 on informational self-determination and the freedom of information (the Information Act);
Act CLV of 1997 on consumer protection (Consumer Protection Act);
Act C of 2000 on accounting (Accounting Act);
Act CVIII of 2001 on certain issues of electronic commerce services and information society services (E-commerce Act);
Act C of 2003 on electronic communications (Electronic Communications Act);
Act CXXXIII of 2005 on security services and the activities of private investigators (Security Services Act);
Act CLXXXV of 2010 on media services and mass media;
Act XLVIII of 2008 on the basic requirements and certain restrictions of commercial advertising activities (Commercial Advertising Act);
Act V of 2013 on the Civil Code (the Civil Code).

2.3.Please be informed that personal data are processed in order to ensure the optimal operation of the service provided by the Controller and use of all of its functions, and without this, the given service cannot be used or only with limited functionality. Personal data are provided on a voluntary basis. In addition to this, the services use co-called cookies, in the way determined below.

2.4.Processing of personal data

Personal data means any personal or material information that can be connected to an identified or identifiable natural person. The information which cannot be connected exclusively directly to the given natural person (such as the company data of the client or the number of website visitors) do not qualify as personal data.

data subject: any natural person who is or who can be identified directly or indirectly on the basis of any specific personal information (such as the customer, the person subscribing to a newsletter, an employee, and even a self-employed entrepreneur; however business associations are not), whose personal data gets processed;
personal data: the data relating to the data subject, in particular the name and identification number of the data subject, as well as one or more factors specific to his/her physical, physiological, mental, economic, cultural or social identity or conclusions drawn from the data with regard to the data subject (such as electronic mailing address, name, address, image, occupation);
Personal data will not be processed, unless they are specifically provided by the Data Subject in the course of using any below detailed particular service and if the Data Subject consents to the processing, or if the Controller has substantial legitimate interest to such processing (e.g.: property protection), or if processing is required by law, or if the Data Subject provides their personal data as a contracting partner.

2.5.Recording and processing of non-personal data

In the course of the use of our Website, certain data, qualifying as non-personal data, are collected for the sake of guaranteeing the technical administration of the Website.

3.Cookies and web analytics on the Controller’s website

3.1.The language selected by the visitors when using our Website (www.drivingcmamp.hu) are stored by cookies on the visitor’s computer, as long as the storage of cookies is permitted on the hardware used by the visitor. This cookie is stored on the visitor’s computer for two weeks in order to ensure that during the next visit to the Website, the content is displayed on the previously set language, automatically. If a previously provided cookie is returned by the browser, the service provider managing the cookie is able to link the current visit of the user to their previous visits in order to improve user experience.

3.2.We use the web analytics services of Google Analytics on our Website. Google Analytics saves cookies, text files onto the computer of the Data Subject, which collect user data to ensure that the use of our Website can be analysed. The information generated through the cookies (including the IP address of the Data Subject as well) are transmitted to and stored on the servers of Google Inc. (hereinafter as: “Google”) located in the USA. Google uses these information to evaluate the Website related usage information. Google prepares statistics and statements about the activity on the Website to the Controller, based on the information sent to it, furthermore it also provides to the Controller other services related to the use of the Website or the Internet. Google has the right to transfer these information to third parties, as long as this is required by law, or if these data are processed by the given third party on behalf of Google. Google shall not link the IP address of the Data Subjects to their other data. By changing the appropriate settings of the browser, the Data Subject can disable the saving of cookies at any time, however, the Controller hereby warns the Data Subject that as a result of such disabling, certain functions of the Website will not be fully available to the Data Subject.

3.2.1.By installing the add-on provided through the following link, the Data Subject can disable the activities of Google Analytics (https://tools.google.com/dlpage/gaoptout). Should you need more information about the operation of Google Analytics, please visit the following website (https://support.google.com/analytics/answer/6004245?hl=hu&ref_topic=2919631).

4.The individual data processing actions

4.1.Participation at driving technique trainings

4.1.1.The completion of the statement of participation shall be a precondition to participation at the programs and trainings organised by the Controller, so that the Controller can document that the persons participating at the trainings have granted their consent to the terms and conditions and rules and risks related to the trainings. The statement of participation can be completed at the reception as well, in hard copy.

4.1.2.Data subjects: clients participating at the trainings

4.1.3.Purpose of data processing: To verify that the consent to the participation at the trainings and driving technique programs and conditions thereof have been granted, to document the participants, to ensure the safety of the cars and the racing track, which involve increased risks.

4.1.4.Legal basis of data processing: processing is necessary for the performance of a contract to which the data subject is party, Article 6(1)(b) of the GDPR.

4.1.5.Recipients of the processing: reception, sales and marketing associates

4.1.6.Scope of processed data: Name, address, e-mail, driving licence number, year of birth, telephone number.

4.1.7.Duration of processing: until withdrawal of the consent.

4.1.8.Data processor:

Name

Identification data

Tasks of the Data Processor

PG Info Kft.

9141 Budapest, Ikrény, Sport u. 22.

developer of the website, provision of the website interface

4.2.Mercedes-Benz Driving Events

4.2.1.Controller cooperates with Mercedes-Benz Hungária Kft which offers driving technique trainings to its customers, when a new Mercedes car is purchased, in accordance with its own related policies and programs, subject to issuance of the required voucher, within the framework of this cooperation. Controller keeps a register and processes the data of the customers in order to liaise with the customers applying for the training and to organise the driving technique trainings.

4.2.2.Data subjects: customers buying new Mercedes-Benz motor-vehicles

4.2.3.Purpose of data processing: organise and hold the driving technique training for the customers.

4.2.4.Legal basis of data processing: the data subject’s voluntary consent, Article 6(1)(a) of the GDPR.

4.2.5.The processed data are transmitted to the Controller by Mercedes Benz Kft and its network of dealers, hence these data are not collected by the Controller directly from the data subjects.

4.2.6.Recipients of the processing: sales and marketing associates

4.2.7.Scope of processed data: applicant customer’s name, phone number, e-mail, license plate number of the motor-vehicle, voucher code, date of issue, and customer’s signature.

4.2.8.Duration of processing: until withdrawal of the consent

4.3.Events organised by or with the cooperation of the Controller

Controller shall register the participants of the driving technique events organised by it or with its cooperation for purpose of implementation of the event.

4.3.1.Data subjects: clients participating at the events

4.3.2.Purpose of data processing: to implement the events at the appropriate quality level.

Legal basis of processing: the data subject’s voluntary consent, Article 6(1)(a) of the GDPR.

4.3.3.Recipients of the processing:

4.3.4.Scope of processed data: Name, e-mail, phone number, company name

4.3.5.Duration of data processing: 30th day following the event.

4.3.6.Data processor:

Name

Identification data

Tasks of the Data Processor

DEEPINSIGHT Korlátolt Felelősségű Társaság
1026 Budapest, Pasaréti út 147.; cregistration number: 01 09 283825; tax number:25588198-2-41

technical implementation of the event

4.4.Recordings made by the security camera system

Controller operates an electronic surveillance system in its buildings and on the training circuit for reasons of security and quality control, and also to ensure verifiability of quality.

Location of the cameras and the designation of the controlled areas: These are determined in the information material placed at the Controller’s reception.

4.4.1.Data subjects: persons staying on the Controller’s area.

4.4.2.Purpose of data processing: property protection, quality control, protection of the life and safety of people, verifiability.

4.4.3.Legal basis of processing: the Controller has legitimate interest to use a camera system to control the events organised by it, its buildings and the training circuit, and also to ensure the protection of property and persons, Article 6(1)(f) of the GDPR.

4.4.4.Recipients of the processing: management and technical operation

4.4.5.Scope of processed data: Recording of images of the persons staying on the Controller’s area.

4.4.6.Duration of data processing: 3 days from the time of recording, except in the case of an authority or other official proceeding, where the recording is used or may be used.

4.4.7.Data processors:

Name

Identification data

Tasks of the Data Processor

Vipenda Kft.

2071 Páty, Kerekdombi út 5., company registration number: 13-09-138673, tax number: 14628771-2-13

provision of the reception service

4.4.8.Data transfer: to the competent agencies or courts, in case of any regulatory offence or criminal proceedings.

4.4.9.Scope of transferred data: recordings made by the camera system, containing the relevant information.

4.4.10.Legal basis of data transfer: Article 71(1), Article 151(2)(a) and 171(2) of the Act on Criminal Procedures, and Article 75(1)(a) and 78(3) of the Accounting Act.

4.4.11.The following persons shall have the right to view and inspect the current images transmitted by the cameras: the management of the Controller, and the data processor.

4.4.12.The authorised persons detailed above can only view the recordings recorded by the camera surveillance system operated by the Controller for purpose of providing evidence related to infringements jeopardising human life, safety of people or security of property and to identify the perpetrators, or in the case of an eventual accident, to clarify the circumstances of the accident.

4.4.13.The data subjects, the rights or legitimate interests of whom is affected by the recording of the images may request the controller to refrain from destroying or erasing the recording, until the court or authority is contacted, but for the maximum of 30 days, and simultaneously must produce evidence for their right or legitimate interest concerned. The person displayed on the recording may request information about the recording made of him/her by the electronic surveillance system, may ask for a copy, and if there are other persons on the recording, he/she may also view the recording.

4.4.14.The data controller shall enter into a record each act of viewing the recordings, the name of the person viewing the recording, as well as the reason and time of viewing.

4.5.Camera recordings for promotion purposes

4.5.1.Controller shall make camera recordings during some of its events organised in an ad hoc manner (such as anniversaries) in its buildings and on the training circuit, and shall use these recordings for promotion purposes and publish them on its website. If such a recording is made during the given event, the participant will be informed of this fact prior to signature of the statement of participation, in person, in the statement of participation or in the invitation.

4.5.2.Location of the cameras and the designation of the controlled areas: the cameras are moving (installed onto vehicles, drones), hence they do not have a pre-defined location or fixed area.

4.5.3.Data subjects: persons participating at the driving technique trainings and programs.

4.5.4.Purpose of data processing: promotion related goals.

4.5.5.Legal basis of processing: the person participating at the promotion event, the data subject gives his/her voluntary consent by the very act of his/her participation, Article 6(1)(a) of the GDPR.

4.5.6.Recipients of processing: sales and marketing associates

4.5.7.Scope of processed data: The Controller shall make image and video recordings about the participants of the trainings and programs.

4.5.8.Duration of processing: until withdrawal of the consent.

4.5.9.Typically a data processor will not be employed, if so, the data processor will be ensured by the data subject. If the controller employs its own processor for making the recordings, the data subject will be informed about the person of the processor, separately, prior to the consent.

4.6.Newsletter

4.6.1.It is important for the Controller to notify all those who are interested in its activities about its services, products and upcoming events, actions and discounts, in due time. We will send newsletters only to those subscribed to it, until the time, at the latest, the respective consent is withdrawn.

4.6.2.Data subjects: persons subscribing to the newsletter

4.6.3.Purpose of data processing: To process the data of the natural persons subscribing to the newsletter for marketing purposes, sending newsletters to them about the products, services, events, programs and possible offers provided by the Controller.

Legal basis of processing: the data subject’s voluntary consent, Article 6(1)(a) of the GDPR. You can unsubscribe from the newsletter by clicking on the link provided in any of the newsletters or by post or in e-mail.

4.6.4.Recipients of processing: sales and marketing associates

4.6.5.Scope of processed data: electronic mailing address, name.

4.6.6.Duration of data processing: until unsubscription.

4.6.7.Data processors:

Name

Identification data

Tasks of the Data Processor

DEEPINSIGHT Korlátolt Felelősségű Társaság
1026 Budapest, Pasaréti út 147.; cregistration number: 01 09 283825; tax number:25588198-2-41

technical tasks of sending of newsletters

4.7.Data processing in case of webshop purchases

4.7.1.It is crucial for the Controller to ensure that its services are easily available on the online interface as well, hence the Controller makes these services accessible through its website as well. In the course of sales made in this way, personal data are processed.

4.7.2.Purpose of data processing: To execute the online selling of the services provided by the Controller.

4.7.3.Legal basis of data processing: Processing is based on the data subject’s voluntary consent, Article 6(1)(a) of the GDPR.

4.7.4.Recipients of processing: sales and marketing associates

4.7.5.Scope of processed data: The Data Subject’s name, phone number, electronic mailing address, address, the data of the selected training, billing data.

4.7.6.Duration of processing: 8 years for the accounting documents issued in terms of the sale, in accordance with Article 169(2) of the Accounting Act, and for all other data until withdrawal of the consent.

4.7.7.Data processors:

Name

Identification data

Tasks of the Data Processor

PG Info Kft.

9141 Budapest, Ikrény, Sport u. 22.

Website development and management

Comp-Dock Kft.

1033 Budapest, Szentendrei út 89-95., company registration number: 13-09-182714, tax number: 25740040-2-41

server operation, provision of the required technical background, data storage

4.8.Vacancy notices (job offers)

In order to ensure that the Controller is able to select the co-workers meeting its actual demands, it is necessary to get to know the personal data of the data subjects.

4.8.1.Data subjects: candidates applying for the jobs

4.8.2.Purpose of data processing: assessment of the applicants, evaluation of their eligibility for the given position

4.8.3.Legal basis of processing: the data subject’s voluntary consent, Article 6(1)(a) of the GDPR.

4.8.4.Recipients of the processing: HR associates

4.8.5.Scope of processed data: name, age, address, e-mail, phone number, professional experience, qualifications, field of interest,

4.8.6.Duration of data processing: until establishment of the employment relationship or rejection.

4.9.Call center

Controller is operating a call center, as a supplement to the services provided to its consumers and customers, to record the training orders, and to handle complaints, and when this call center is used, the phone calls made with the data subjects are recorded. The data subject has the right to interrupt the call at the beginning of the conversation, following (or prior to) the information about the recording, at any time, and contact the Controller in any other way, if he/she does not intend to consent to the sound recording.

4.9.1.Data subjects: persons using the call center

4.9.2.Purpose of data processing: recording of purchase orders, complaint handling

4.9.3.Legal basis of processing: the data subject’s voluntary consent, Article 6(1)(a) of the GDPR. If a complaint is filed, it is a statutory obligation to record the data (pursuant to Article 17/A of the Consumer Protection Act).

4.9.4.Recipients of processing: sales and marketing associates

4.9.5.Scope of processed data: name, phone number, address, license plate number, ordered product. In the case of a complaint: name, phone number, address, the description, time and identifier of the given complaint.

4.9.6.Duration of data processing: for orders, the 30th day following the provision of the given service, whereas 5 years for complaints (pursuant to Article 17/A of the Consumer Protection Act).

4.9.7.Data processors:

Name

Identification data

Tasks of the Data Processor

Protocall 2009 Kft.

1134 Budapest, Tüzér u. 39.

registration for participation at the training, recording of complaints, calls

4.10.Liaising with business partners

The business partners of the Controller are primarily non-natural persons, hence typically no personal data are processed during the contractual relationship with these business partners. The data of the natural person contact persons of these partners may be an exception to this, as well as the data of the self-employed entrepreneur business partners (if any), whose personal data are processed by the Controller in order to perform the respective contract.

4.10.1.Data subjects: natural person contact persons and self-employed entrepreneur partners

4.10.2.Purpose of data processing: To perform the contract by and between the Controller and the business partner, and to liaise during the performance.

4.10.3.Legal basis of data processing: Processing regarding the contracting party, Article 6(1)(b) of the GDPR, performance of the contract, and Article 6(1)(f) of the GDPR, Controller’s legitimate interest.

4.10.4.Recipients of processing: sales and marketing associates

4.10.5.Scope of processed data:

for natural person contact persons: name, position, email, phone number, identification of the contract.
for self-employed entrepreneur contracting partners: name, registered office, registration number, tax ID, furthermore account number and other data required due to the nature of the given contract, if expressly necessary.

4.10.6.Duration of data processing: the data of the self-employed entrepreneur contracting partners and contact persons provided under the respective contract are archived as part of the contract, at least for 5 years following the performance or termination of the contract, or until the expiry of the period of limitation.

5.General provisions II.

5.1.Data Security

5.1.1.Controller shall make all necessary technical and security measures required to protect its data and the Data Subject’s personal data against destruction or abuse. Controller shall continuously develop and improve its technical security measures, taking into account the reasonably accessible technology, by applying the gradually improved solutions.

5.1.2.Our Website and the communications made through it are encrypted by SSL (Secure Socket Layer) protocol to ensure increased security. The data stored on the server can be accessed by a user name plus password, whereas remote access to the internal network is ensured by an encrypted, password protected data connection. These remote access actions are logged. The physical access to the server is limited, accessible by a given key, logged.

5.2.Comments or remarks in connection with the data processing

Should you have any questions regarding the processing of your personal data, please contact the data protection officer of the Controller, who will be at your disposal in connection with enquiries, suggestions or complaints as well.

Should you have any questions or comments, please send them to the following e-mail address: [email protected]

5.3.Rights and Legal Remedies

5.4.Data subjects shall have the following rights and legal remedies in connection with all data processing actions:

right to transparent information;
right of access;
right to rectification;
right to erasure;
right to restriction of processing;
right to data portability;
right to object;
right to withdraw consent;
right to legal remedy, and
the right to file complaints.

To exercise the above rights, unless otherwise specified, the data subject is required to make a contact, to be initiated via any of the contact details provided by the Controller.

5.4.1.Right to information

At the data subject’s request, the Controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 of the GDPR and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a properly concise, transparent, intelligible and easily accessible form, using clear and plain language.

5.4.2.Data subject’s right to access

The data subject shall have the right to obtain from the Controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information: the purposes of data processing; the categories of personal data concerned; the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; the envisaged period for which the personal data will be stored; the right to rectification, erasure or restriction of processing, and the right to object; the right to lodge a complaint with a supervisory authority; information about the data sources; the existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards relating to the transfer. The Controller shall provide a copy of the personal data undergoing processing to the data subject. For any further copies requested by the data subject, the Controller may charge a reasonable fee based on administrative costs, pursuant to the authorization granted by the GDPR.

At the data subject’s request, the information will be provided by the Controller in electronic form. The right to information can be requested in writing, at the contact details of the controller specified in this policy.

At the data subject’s request, after his/her identity is verified by sufficient and reliable proof, the Controller may provide information orally as well.

5.4.3.Right to rectification

The Controller shall rectify the personal data, if it is incorrect and the correct personal data is available to the Controller.

5.4.4.Right to erasure

The data subject shall have the right to obtain from the Controller the erasure of personal data concerning him or her without undue delay, where one of the following grounds applies:

the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
the data subject withdraws his/her consent underlying the processing and there is no other legal basis for the processing;
the data subject objects to the processing and there are no overriding legitimate grounds for the processing;
the personal data have been unlawfully processed;
the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the Controller is subject;
the personal data have been collected in relation to the offer of information society services.

The erasure of data cannot be initiated, if the processing is required: for exercising the right of freedom of expression and information; for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; processing is necessary for reasons of public interest in the area of public health, or for archiving, scientific or historical research purposes or statistical purposes, in the public interest; or for the establishment, exercise or defence of legal claims.

5.4.5.Right to restriction of processing

The data subject shall have the right to obtain from the Controller restriction of processing where one of the following applies:

the accuracy of the personal data is contested by the data subject, in which case the restriction shall be for a period enabling the verification of the accuracy of the personal data;
the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; or
the data subject has objected to processing; pending the verification whether the legitimate grounds of the controller override those of the data subject.

Where processing has been restricted, the personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

The data subject shall be informed by the Controller before the restriction of processing is lifted.

5.4.6.Right to data portability

The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to the controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller.

5.4.7.Right to object

The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her, when the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, or when it is required to enforce the legitimate interests of the data controller or a third party, including also profiling based on the mentioned provisions.

In the event of objection, the Controller shall no longer process the personal data unless there are such compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes by the Controller.

5.4.8.The right to withdraw the consent:

The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of the processing based on consent, executed before the withdrawal of consent.

5.4.9.Procedural Rules

The Controller shall provide information on action taken on a request under Articles 15 to 22 of the GDPR to the data subject without undue delay and in any event within one month of receipt of the request.

That period may be extended by two further months where necessary, taking into account the complexity and number of the requests.

The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic means, the information shall be provided by electronic means, unless otherwise requested by the data subject.

If the Controller does not take action, the Controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

Controller shall provide the requested information always free of charge. However, where the requests of the data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the Controller may either charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested or refuse to act on the request. In this case the Controller shall charge the fee on the basis of the labour force used, the remuneration due to the consultants and the other costs incurred.

The Controller shall provide a copy of the personal data undergoing processing to the data subject. For any further copies requested by the data subject, the Controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in electronic form.

The Controller shall communicate any rectification or erasure of personal data or restriction of processing carried out by it, to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The Controller shall inform the data subject about those recipients if the data subject requests it.

5.4.10.Compensation (indemnification) and aggravated damages (compensation for injury to feelings):

The Controller shall be liable for the damages caused as a result of unlawful processing of the data subject’s data or violation of the data security requirements. The processor shall be liable for the damage caused by processing only where it has not complied with any obligations defined by law, specifically directed to processors. Where more than one controller or processor, or both a controller and a processor, are involved in the same processing and where they are responsible for any damage caused by processing, each controller or processor shall be held liable for the entire damage (joint and several liability).

If the personality rights of the data subject are violated, the data subject shall have the right to claim aggravated damages (compensation for injury to feelings) according to the provisions of the Civil Code.

The controller or processor shall be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage.

The Controller shall not pay the damages and shall not pay aggravated damages, as long as the damage or the injury caused as a result of violation of personality rights originated from the wilful (intentional) or grossly negligent conduct of the data subject.

5.4.11.The right to bring the case to court

The data subjects, if their rights are violated, can turn to the court (having competence either according to the defendant’s registered seat or the data subject’s domicile, according to the data subject’s choice) for action against the Controller. The court shall hear the case in an accelerated procedure. Please be informed that the legal action started in connection with the protection of personal data shall be exempt from duties.

5.4.12.Filing a complaint at the Data Protection Authority

If your rights are violated in connection with the processing of your personal data or in the course of exercising of your rights, you may also turn to the Hungarian National Authority for Data Protection and Freedom of Information.

Name: Hungarian National Authority for Data Protection and Freedom of Information

Registered office: 1125 Budapest, Szilágyi Erzsébet fasor 22/C.

Postal address: 1530 Budapest, Pf.: 5.

Website: http://www.naih.hu